9:58 a.m.
Hi All,
one of the challenges we had with JBossWeb was principal mapping
after authentication. It was hard as hell to do that. I wished for a
mechanism where the authentication call would have a post authentication
callback to see if the original principal has been mapped to something
else. This is a use case seen in integration with third party security
systems including commercial vendors.
I have not dug into Undertow security codebase to see if this is
possible yet but I wanted to put this to the dev list so that we can
discuss it.
Regards,
Anil
2:34 a.m.
At the moment we don't have the ability to do this, but we could potentially add it.
It does get a bit tricky however, say we just expand the SecurityNotification mechanism to
allow you to wrap the account after login. This would work from Undertow's
perspective, however it is likely that there is other code that expects the account to be
of a certain type, that will now fail because of the wrapper.
We would also have to look carefully at how this would with with the
JAASIdentityManagerImpl in the Wildfly code base, as it appears that we will be stuck with
that for a while yet. To make this work properly with the rest of Wildfly we would
probably actually need to implement this inside the JAAS IDM itself, to make sure the
Picketbox SecurityContext is setup correctly.
Stuart
----- Original Message -----
From: "Anil Saldhana" <Anil.Saldhana(a)redhat.com>
To: undertow-dev(a)lists.jboss.org
Sent: Tuesday, 3 September, 2013 4:58:25 PM
Subject: [undertow-dev] Principal mapping after authentication
Hi All,
one of the challenges we had with JBossWeb was principal mapping
after authentication. It was hard as hell to do that. I wished for a
mechanism where the authentication call would have a post authentication
callback to see if the original principal has been mapped to something
else. This is a use case seen in integration with third party security
systems including commercial vendors.
I have not dug into Undertow security codebase to see if this is
possible yet but I wanted to put this to the dev list so that we can
discuss it.
Regards,
Anil
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
9:01 a.m.
Hi Stuart,
this mapping has to happen before any security context is set up for
propagating the identity to other subsystems such as EJBs. I think you
are in agreement.
The Undertow security framework has to have some callback mechanism to
switch the identity with which the authentication call was made.
Let me dig into the undertow code using your email as guidance.
Regards,
Anil
On 09/04/2013 02:34 AM, Stuart Douglas wrote:
At the moment we don't have the ability to do this, but we could
potentially add it.
It does get a bit tricky however, say we just expand the SecurityNotification mechanism
to allow you to wrap the account after login. This would work from Undertow's
perspective, however it is likely that there is other code that expects the account to be
of a certain type, that will now fail because of the wrapper.
We would also have to look carefully at how this would with with the
JAASIdentityManagerImpl in the Wildfly code base, as it appears that we will be stuck with
that for a while yet. To make this work properly with the rest of Wildfly we would
probably actually need to implement this inside the JAAS IDM itself, to make sure the
Picketbox SecurityContext is setup correctly.
Stuart
----- Original Message -----
> From: "Anil Saldhana" <Anil.Saldhana(a)redhat.com>
> To: undertow-dev(a)lists.jboss.org
> Sent: Tuesday, 3 September, 2013 4:58:25 PM
> Subject: [undertow-dev] Principal mapping after authentication
>
> Hi All,
> one of the challenges we had with JBossWeb was principal mapping
> after authentication. It was hard as hell to do that. I wished for a
> mechanism where the authentication call would have a post authentication
> callback to see if the original principal has been mapped to something
> else. This is a use case seen in integration with third party security
> systems including commercial vendors.
>
> I have not dug into Undertow security codebase to see if this is
> possible yet but I wanted to put this to the dev list so that we can
> discuss it.
>
> Regards,
> Anil
4099
days inactive
4100
days old
2 comments
2 participants
participants (2)
-
Anil Saldhana -
Stuart Douglas